Keep in mind, you must actually state an objection, not merely cite someone else. If you feel that your objection has already been adequately addressed by someone else, then it is not necessary to repeat it.

Details

Responder

Objections to the Change Proposal to remove the srcdoc attribute

Kornel Lesinski

Proposal is invalid. It debates usefulness of iframe sandboxes, not srcdoc attribute.

Most arguments put forward in the proposal are irrelevant to srcdoc. Even if srcdoc was removed as requested, authors would still be able to secure unsanitised weblog comments using <iframe sandbox src>.

Requested change will not remove the feature that this proposal is actually objecting to.

Goals of srcdoc are: provide better backwards compatibility, more convenient escaping, reduce number of HTTP requests and remove need for special MIME types for sandboxed content.

The proposal doesn't discuss HTTP-related problems (which arise if src is used instead of srcdoc).

XHTML escaping is a red herring. It's not limited to srcdoc -- all XHTML attributes require correct escaping and character encoding. Every XHTML CMS must deal with this problem, whether it uses srcdoc or not.

The only fragment that discusses backwards compatibility states a problem that srcdoc is meant to solve: "data [URI] would be printed out without the security controls in legacy browsers".

Anne van Kesteren

Although it does not have much priority at the moment, Opera is interested in implementing this feature in due course. We think it makes sense as a way of embedding insecure data in an HTML document without requiring extra network traffic. We would therefore like it to remain in the W3C draft.

Jirka Kosek

Julian Reschke

Aryeh Gregor

Two rendering engines, accounting for three of the five largest browsers, are interested in implementing srcdoc. Neither has indicated that they will refrain from implementing it if it's taken out of the W3C spec. I strongly object to removing any feature from the HTML5 spec if browsers plan to implement it or already have, unless it's added to some other W3C spec, because

1) It exposes implementers and authors to patent risk. A major reason for the W3C's existence is to ensure that the web platform can be implemented by any party royalty-free, and the W3C patent policy is a key tool in that effort. Every part of the web platform that is not in some W3C specification increases patent risks for implementers and authors, harming the openness of the web.

2) It will increase divergence between the W3C and WHATWG copies of the HTML specification. This increases author confusion and makes the W3C copy of the standard less useful, as it grows less comprehensive. The HTMLWG's charter also encourages it to pursue convergence with the WHATWG. Hixie has implied that he will retain srcdoc in the WHATWG version even if it's removed from the W3C version: http://krijnhoetmer.nl/irc-logs/whatwg/20100804#l-884

It is not clear to me whether srcdoc will be widely used or not, or whether it will be implemented in all UAs. However, we don't need to decide that right now. The feature will be removed during CR if it doesn't have enough implementations, and there's no good reason to remove it now rather than later. I suggest that the question of whether to remove the feature be deferred until later in the HTML5 spec's development, with the explicit understanding that if enough time passes without implementer adoption, that will be sufficient grounds to revisit the issue.

Tab Atkins Jr.

Webkit is interested in implementing @srcdoc, and has an engineer working on it right now.

Samuel Weinig

@srcdoc provides a useful addition to the web platform, especially when taken in conjunction with @seamless and @sandbox, to provide low overhead (in terms of HTTP traffic) embedded content. It also provides an avenue for authors to provide content that is only visible to @sandbox aware browsers (as long as user-agents are sure to implement both @sandbox and @srcdoc). Apple is interested in implementing this.

Adam Barth

This change proposal reads more like a rant than a technically tight argument for removing the srcdoc attribute. The author seems concerned that not enough folks are interested in the feature for it to be worth including in the spec. In isolation, I might agree with the author, but in combination with @sandbox and @seamless, I think @srcdoc has a lot of value. Certainly removing @srcdoc decreases the value of @sandbox and @seamless significantly.

On balance, I object to @srcdoc being removed from the spec because it's an important piece of the sandbox/seamless/srcdoc package.

Detailed comments below:

[[
The supposed use case for this attribute is weblog comments, but concerns about
HTML security have been resolved with weblog and other application comments
years ago.
]]

That's just patently ridiculous. Cross-site scripting remains a top security issue with web applications (including blogs) according to many authorities. For example, <http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project> ranks it as #2.

[[
I asked Matt Mullenweg[5], the creator of WordPress, ...
]]

WordPress is notorious for cross-site scripting (and other) vulnerabilities. Appealing to the creator of WordPress as an authority on security is pretty funny.

[[
This attribute can't be used effectively for potentially years in the future, because web browsers don't print out what's contained in the attributes—not unless specifically directed to do so[8].
]]

That's the case for almost every new feature we add to the web platform. Improving the platform is investing in the future, not the present. If we accepted this rationale, we should remove all new features and go back to the stone age.

[[
Instead of embedding markup in the attribute—something that has been actively discouraged for some time— we can use a data URI with the src attribute
]]

There's been a lot of discussion in the working group about using data URLs instead of srcdoc. Sure, that works, but it's a lot less convenient for authors. For example, if you store HTML data in a database and you want to render it in a sandboxed iframe, you can shove the data into the srcdoc attribute via the DOM and everything works great. There's no need for escaping or encoding. However, if you want to use data URLs, you need to at least URL-escape the HTML first.

[[
I find it unlikely that any approach related to the iframe and sandboxing will ever be used with weblog comments,
]]

That's just pure opinion. I'd rather we based decisions on technical merit rather than opinion.
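The escaping difference discussed in the response above, as an added example that is not part of the survey responses: the same untrusted comment placed in a sandboxed iframe via the DOM, via a `srcdoc` attribute in markup, and via a `data:` URL in `src`. All function names and the sample comment are constructed for illustration, and `legacyFallback` is a simplified model of a browser that knows neither `sandbox` nor `srcdoc`.

```javascript
// Added example; names and sample data are constructed, not from the spec text.

// DOM route: the srcdoc property takes the raw string, with no escaping step.
function mountViaDom(doc, parent, html) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", ""); // empty value = all restrictions, set before content
  frame.srcdoc = html;
  parent.appendChild(frame);
  return frame;
}

// Markup route: in HTML syntax a double-quoted attribute value needs only
// "&" and '"' escaped. "&" goes first so the quote entities are not re-escaped.
function escapeSrcdoc(html) {
  return html.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Inverse of escapeSrcdoc, standing in for the parser's attribute decoding.
function decodeAttr(value) {
  return value.replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

function srcdocFrame(html) {
  return '<iframe sandbox srcdoc="' + escapeSrcdoc(html) + '"></iframe>';
}

// data: URL route: the HTML must be URL-escaped before it can go into src.
function dataUrlFrame(html) {
  const url = "data:text/html;charset=utf-8," + encodeURIComponent(html);
  return '<iframe sandbox src="' + escapeSrcdoc(url) + '"></iframe>';
}

// Model of a browser that ignores sandbox and srcdoc: it loads whatever
// src holds, without restrictions, or nothing when there is no src attribute.
function legacyFallback(frameMarkup) {
  const m = /\ssrc="([^"]*)"/.exec(frameMarkup);
  return m ? decodeAttr(m[1]) : null;
}

// Constructed sample comment containing markup, "&", quotes and a script.
const sampleComment =
  '<p>Tom & "Jerry"</p><script>document.title="x"</script>';
```

In this model the `srcdoc` frame gives a non-supporting browser nothing to load, while the `data:` URL frame hands it the full comment with no sandbox applied.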


Responder

Objections to the Change Proposal to retain the srcdoc attribute

Kornel Lesinski

Anne van Kesteren

Jirka Kosek

I object to retaining the srcdoc attribute. Inserting escaped markup into another markup is a bad practice. Markup should be inserted directly as a subtree without any need for escaping. Such content can be parsed directly without need for invocation of another parser instance for content of @srcdoc. Moreover, escaped markup in an attribute value is not directly exposed in any widely used API or tree-based data model, including for example DOM, SAX, XDM.

Julian Reschke

It is true that parts of the Change Proposal to remove @srcdoc actually question the usefulness of sandboxed iframes. But that doesn't make the points invalid, they simply need to be evaluated given that context.

If sandboxed iframes are not as useful as advertised (and it doesn't seem this was challenged enough), it might be absolutely the right thing to keep them, but to reduce their badness that we see in @srcdoc (markup in attributes is *the* anti pattern when defining markup languages, right?).